Tuesday, September 16, 2014

Enterprise security Messiah

There were some articles these last days about looking for talent in the computer security industry in the promised lands of the USA and the EU.

I don't think the intention of the authors was such, but I've started to get images of an almost biblical class of saviors for enterprise security issues, almost like prophets searching and moaning for the Messiah.
I suppose such thoughts are politically incorrect to think and speak about, but for me, as a shameless non-believer in the religion of security and with Sunday school experience from a communist regime past, it is nothing :)

Joking aside, it really sounds like searching for someone omnipotent who will cure all that is wrong in your busted, evil-penetrated enterprise security and bring salvation ...
A bit silly, but it makes sense in a distorted religious way ... as an example, if we look at the SANS Critical Security Controls at
http://www.sans.org/critical-security-controls/ and just try to imagine how much it really costs to implement them, it is obvious why security managers prefer searching for miracles and a messiah. You need faith to believe in your savior instead of starting to work and finding competent professionals, not miracle makers.

After summer 2014

Recently I've finished two three-day on-demand trainings. The first one was for forensic bridges and write-blockers and the other one was for the Elcomsoft password recovery bundle. The second was challenging because there is no official training for the product, so we decided to modify our anti-forensics and encryption materials to create a suitable training bundle. From a forensic point of view the most challenging task is to keep a forensically correct environment while data is going from one tool to another and back into the final report.

I was trying to avoid heavy math as much as possible in this training, since it does not belong there: it is about tools and forensics, not about cryptography. You must have an understanding of what cryptography is, how it works and how it is used in anti-forensics and, most importantly, how to handle it in a forensically sound way. One often overlooked issue is the reliability and forensic acceptability of all tools used in the processing of evidence. Good practice is to have proof of correctness for each tool in the chain, but also to have proof for each step in data transfer among tools.

As an example I've used Windows virtual machines with BitLocker and TrueCrypt volumes as investigation targets. We used various tools and scenarios to create memory dumps and tested whether we can retrieve keys from the dumps. All that was done in the safe forensic framework of a proven tool like EnCase and its VFS and PDE features. Through such features it is possible to extract keys from memory dumps or hibernation files and use the Elcomsoft tool to access and dump the protected volume. That extracted data is then reacquired into the original case in the forensic framework tool. More or less the same approach works for all of the password extractors/breakers in the Elcomsoft bundle.
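As an added illustration of the "proof for each step in data transfer among tools" point (my own example, not part of the training materials or of the EnCase/Elcomsoft tools), here is a small Python chain-of-custody log that hashes the acquired image once and re-hashes it at every handoff between tools, flagging any copy whose digest no longer matches; the file names, tool names and sample image bytes are constructed placeholders.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Baseline hash taken at acquisition plus one record per tool handoff."""

    def __init__(self, acquired_path):
        self.baseline = sha256_file(acquired_path)
        self.records = []  # (step, tool, digest, matches_baseline)

    def record_step(self, step, tool, path):
        """Re-hash the artifact after a handoff; False means the chain is broken."""
        digest = sha256_file(path)
        ok = digest == self.baseline
        self.records.append((step, tool, digest, ok))
        return ok


def demo():
    """Constructed two-handoff walkthrough; sample bytes, paths and tool names are made up."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"constructed sample image bytes\n" * 1000)
        log = CustodyLog(image)
        # Handoff 1: a byte-exact export handed to the password-recovery tool.
        export = os.path.join(d, "export.dd")
        with open(image, "rb") as src, open(export, "wb") as dst:
            dst.write(src.read())
        ok1 = log.record_step("export to recovery tool", "hypothetical-exporter", export)
        # Handoff 2: a copy damaged in transit (one bit flipped) being reacquired.
        altered = os.path.join(d, "altered.dd")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[10] ^= 0x01
        with open(altered, "wb") as f:
            f.write(data)
        ok2 = log.record_step("reacquire into case", "hypothetical-importer", altered)
        return ok1, ok2  # expected (True, False)
```

In a real case the same records would be written to the case notes alongside the tool and version used at each step, so the report can show that every artifact handed between tools still matched the acquisition hash.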

Practicals and hands-on:

Zip peculiarities
Mils unbreakable encryption
Encryption based on dedicated external device
Password vault tool
Password recovery for truecrypt volume
Windows logon password
Office documents
BitLocker password removal in Elcomsoft
Live forensic access to encrypted data
Live – EnCase forensic
FTK Imager – memory capture

Memory capture – words extraction

Topics discussed:

Encryption and Antiforensics
Antiforensics or counter forensics
Antiforensics methods
Hiding Data - Encryption
The Caesar Cipher
Example: rot13
Some common types of encryption
Steganography
Data destruction
Antiforensics impact
Encryption and Digital Forensics
Background
Sources
Terminology
Encryption algorithms
Encryption keys
Password/Passphrase Implementation
Key space
Breaking passwords
Zip – removing encryption or changing password
TrueCrypt – removing encryption or changing the password
Identifying encrypted data
Encryption software
Encrypted files
Approaching decryption
Human factor
Human factor - language
Decryption methodology
Dictionary Attack
Dictionary-based attack tools
Brute force attack
Brute Force Attacks tools
Key-based attack
Password Reset
Rainbow tables
Encryption and digital evidence
Accessing Encrypted Evidence
Encrypted Evidence is real
Decryption in digital forensic investigation: Perception vs. Reality
Types of Encrypted Evidence
Types of Encryption
Where are passwords
How to attack password-protected artifacts
Workflow is repetitive
Additional word sources
Encryption tools
What is there in the wild?
Example: Passware Kit Forensic
Example: FTK PRTK/DNA
Example: Elcomsoft bundle
Forensic tool approach
Practical Decryption Tool
Dedicated Decryption Tool

Decryption as part of the general purpose forensic tool

Thursday, September 4, 2014

SANS Cyber Aces Online Tutorials

SANS again has excellent materials online for anyone interested in renewing general knowledge in computer security: it is the Cyber Aces program's Cyber Aces online tutorial.

Covers the most essential areas for going into security:

1. Introduction to Operating Systems, covers Linux, Windows and using virtual labs
2. Networking, covers all important practical networking issues from layering to application security
3. System Administration, covers Web Scripting, Bash, PowerShell

Even if you don't plan to do the certification, it is good to read and remember what you forgot :)

My favorite is the system administration part, especially PowerShell, myself always lagging on Windows scripting.